In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the necessary situational awareness to stay on the top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculations and real-time CYBERINT assessments, all packed with sarcastic attitude

- despite that the recommended DoS tool itself in the previous post is detected by almost all the anti virus vendors, in a people's information warfare situation, the participants will on purposely turn off their AVs to be able to use it

- the Electronic Jihad program is an example of poorly coded one, poorly in the sense of obtaining lists of the sites to be attacked from a single location, so you have a situation with 1000 wannabe cyber jihadists not being able to attack anyone in a coordinated manner given the host gets shut down

- the central update locations at the al-jinan.net domain are down, thank you Warintel, and so are the several others included, so you have a situation where forums and people start recommending the tool, they obtained it before the site was shut down, but couldn't get the targets to be attacked list

Time to assess the binary. The program archive's fingerprints as originally distributed :

File size: 358490 bytes

MD5: f38736dd16a5ef039dda940941bb2c0d

SHA1: 769157c6d3fe01aeade73a2de71e54e792047455

No AV detects this one.

E-Jihad.exe as the main binary

File size: 94208 bytes

MD5: caf858af42c3ec55be0e1cca7c86dde3

SHA1: f61fde991bfcc6096fa1278315cad95b1028cb4b

ClamAV - Flooder.VB-15

Panda - Suspicious file

Symantec - Hacktool.DoS

In a people's information warfare incident where the ones contributing bandwidth would on purposely shut down their AVs, does it really matter whether or not an perimeter defense solution detects it? It does from the perspective of wannabe cyber jihadists wanting to using their company's bandwidth for the purposely, an environment in which they are hopefully not being able to shut down the AV, thus forwarding the responsibility for the participation in the attack to their companies.

Al-jinan.org has been down since the Electronic Jihad Against Infidel Sites campaign became evident, the question is - where's the current DDoS campaign site? A mirror of the first campaign is available here - al-ansar.virtue.nu. Cached copy of al-jinan.net (202.71.104.200) is still available. Emails related to Al Ansar Hacking Group - the_crusaders_hell @ yahoo.com; the_crusaders_hell @ hotmail.com; al-ansar @ gooh.net Now the interesting part - where are Al-Jinan's new target synchronization URLs, and did they actually diversified them given that Al-Jinan.net is now down courtesy of what looks like Warintel's efforts? Partly. Here are the update URLs found within the binary :

al-jinan.net/ntarg.php?notdoing=yes

al-jinan.net/ntarg.php?howme=re

al-jinan.net/tlog.php?

al-jinan.net/tnewu.php?

arddra.host.sk/ntarg.php

jofpmuytrvcf.com/ntarg.php

jo-uf.net/ntarg.php

All are down, and jo-uf.net was among the domains used in the first version of the attack. If you think about it, even a wannabe botnet master will at least ensure the botnet's update locations are properly hardcoded within the malware. More details on jo-uf.net.

Let's discuss what cyber jihad isn't. Cyber jihad is anything but shutting down the critical infrastructure of a country in question, despite the potential for blockbuster movie scenario here. It's news stories like these, emphasizing on abusing the Internet medium for achieving their objectives in the form of recruitment, research, fund raising, propaganda, training, compared to wanting to shut it down. Logically, this is where all the investments go, because this is the most visible engagement point between a government and potential cyber terrorists - its critical infrastructure. I'm not saying don't invest in securing it, I'm just emphasizing on the fact that you should balance such spendings with the pragmatic reality which can be greatly described by using an analogy from the malware world, and how what used to be destructive viruses are now the types of malware interested in abusing your data, not destroying it.